ciso brief

All news with #mustang panda tag

12 articles

Mustang Panda Deploys New LOTUSLITE Variant Targeting India

🛡️ Acronis researchers have identified a new variant of LOTUSLITE, attributed with medium confidence to the Chinese-linked Mustang Panda, being distributed via a banking-themed lure aimed at India. The backdoor uses a dynamic DNS domain for HTTPS C2 and supports remote shell access, file operations, and session management, indicating espionage rather than financial theft. The campaign begins with a Compiled HTML (CHM) file that bundles a legitimate executable alongside a rogue DLL and runs JavaScript fetched from cosmosmusic[.]com to trigger DLL side-loading. The implanted DLL, dnx.onecore.dll, communicates with editor.gleeze[.]com; similar artifacts were found targeting South Korean and U.S. policy and diplomatic communities.

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.

Mustang Panda Updates CoolClient Backdoor with Infostealers

🔐 Kaspersky researchers say Chinese espionage group Mustang Panda has updated its CoolClient backdoor to steal browser login data, monitor the clipboard, and sniff HTTP proxy credentials. The upgraded variant has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was distributed via legitimate Sangfor software. New plugins add a remote shell, enhanced file and service management, and in-memory plugin execution; researchers also noted a previously unseen rootkit used in some intrusions.

USB Drives Threaten Enterprise Security: Risks & Controls

🔒 Removable media remains a persistent enterprise risk, enabling both data exfiltration and device-borne intrusion whenever USB drives connect to endpoints. The article highlights evolving threats — including MUSTANG PANDA’s USBFect campaigns (2023–2025) and late-2025 coinminer infections — and high-profile insider exfiltration cases. CrowdStrike recommends a dual approach using Falcon Data Protection to stop sensitive data from leaving endpoints and Falcon Device Control to block or restrict untrusted devices, both delivered via the single Falcon sensor to simplify deployment and reduce operational overhead.

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

Mustang Panda Uses Signed Kernel Driver to Deploy TONESHELL

🔒 Kaspersky observed Mustang Panda leveraging a signed, previously undocumented kernel‑mode rootkit driver to deliver a new TONESHELL backdoor in mid‑2025 against targets in Asia. The driver, tracked as ProjectConfiguration.sys, uses an old certificate issued to Guangzhou Kingteller Technology Co., Ltd., likely leaked or stolen, and registers as a high‑altitude minifilter to intercept I/O. It spawns an injected svchost.exe and loads a memory‑only TONESHELL implant that communicates with C2 servers and resists disk‑based detection.

Chinese State Hackers Use Rootkit to Hide ToneShell

⚠️ A new ToneShell backdoor sample attributed to the Mustang Panda group was delivered via a kernel‑mode mini‑filter driver, ProjectConfiguration.sys, in attacks against government organizations in Asia. The signed driver operates as a rootkit: it injects two user‑mode payloads, blocks deletion and renaming, protects service registry keys, and alters WdFilter to interfere with Microsoft Defender. Kaspersky notes this is the first observed kernel‑mode loader for ToneShell and recommends memory forensics and provided IoCs to detect infections. The actor also updated network stealth, moving to a 4‑byte host ID and fake TLS headers.

Chinese Hackers Exploit Hard-to-Patch Windows Shortcut Flaw

🛡️ Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The flaw lets an attacker pad a shortcut's command-line arguments with whitespace so that the Windows properties dialog shows no command at all; the victim sees only a decoy PDF, such as an agenda for a European Commission meeting, while the hidden command line executes a payload that deploys the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (tracked as ZDI-CAN-25373, later assigned CVE-2025-9491), but Microsoft has so far declined to fully patch it. Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries such as cnmpaui.exe, and blocking C2 domains as interim mitigations.
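The whitespace-padding trick behind ZDI-CAN-25373 / CVE-2025-9491 is easy to check for on the wire, before a shortcut ever reaches a desktop. The following Python is an added example, not code from Arctic Wolf, Trend Micro or ZDI: it builds two constructed .LNK files in memory (one benign, one with its command line hidden behind a run of space, tab, LF, VT, FF and CR characters), parses the shell link header and StringData section as laid out in MS-SHLLINK, and flags an arguments field whose leading padding exceeds a threshold or contains control whitespace. The threshold value, the sample paths and the payload string are assumptions chosen for illustration.

```python
"""Detect whitespace-padded command-line arguments in Windows .LNK files.

Added example, not vendor code. Builds constructed shortcuts in memory,
parses them per MS-SHLLINK, and flags the concealment technique tracked
as ZDI-CAN-25373 / CVE-2025-9491. PAD_THRESHOLD is an assumption.
"""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

PAD_CHARS = " \t\n\v\f\r"   # whitespace the advisory describes as padding
PAD_THRESHOLD = 64          # assumption: real shortcuts carry far less leading whitespace


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shell link with a relative path and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        flags, 0x20,        # LinkFlags, FileAttributes (ARCHIVE)
        0, 0, 0,            # CreationTime, AccessTime, WriteTime
        0, 0, 1,            # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,         # HotKey, Reserved1, Reserved2, Reserved3
    )
    assert len(header) == HEADER_SIZE

    def string_data(s: str) -> bytes:
        # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping IDList/LinkInfo if present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize covers the structure
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def analyze_lnk(data: bytes) -> dict:
    """Flag arguments hidden behind leading whitespace or containing control whitespace."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    padding = len(args) - len(args.lstrip(PAD_CHARS))
    control = sorted({c for c in args if c in "\n\v\f\r"})
    return {
        "target": fields.get("relative_path", ""),
        "padding_chars": padding,
        "control_whitespace": [f"0x{ord(c):02x}" for c in control],
        "hidden_command": args.strip(PAD_CHARS),
        "suspicious": padding >= PAD_THRESHOLD or bool(control),
    }


# Constructed samples for demonstration; not real attachments.
SAMPLES = {
    "benign": build_lnk("..\\..\\Windows\\System32\\notepad.exe", "notes.txt"),
    "padded": build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                        " \t\v\f\r\n" * 150 + "/c start agenda.pdf && start loader.exe"),
}


def scan_samples() -> dict:
    return {name: analyze_lnk(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

Run it as-is to see both verdicts; to use it on real mail or archive extracts, feed each `.lnk` member's bytes to `analyze_lnk` and alert on `suspicious`. The parser deliberately skips the IDList and LinkInfo blocks by their declared sizes rather than interpreting them, which is enough to reach the arguments string even on shortcuts that carry full target metadata.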

China-linked PlugX and Bookworm Target Asian Telecoms

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

Mustang Panda Uses SnakeDisk USB Worm to Deliver Yokai

🐍 IBM X-Force reports that China-aligned Mustang Panda is deploying a new USB worm, SnakeDisk, to propagate the Yokai backdoor against machines geolocated to Thailand. The actor also introduced updated TONESHELL variants (TONESHELL8/9) with proxy-aware C2 and parallel reverse shells. SnakeDisk abuses DLL side-loading and USB volume masquerading—moving user files into a subfolder and presenting a deceptive 'USB.exe' lure before restoring originals—to spread selectively on Thailand-based public IPs.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.